Andreas Schulze wrote:
I think compression isn't the factor for centralized logging in WAN environments. But maybe it's nice to have. Imagine your normal message size is approx. <512 bytes. How many messages must you create/send to flood a 64KB/128KB leased line?
Well I've managed to flood a T1 with syslog traffic from one host before...
We are logging >5000 devices with >15.000.000 messages per day to a centralized syslog-ng server over WAN. Problems we observed are mostly on the central side. The WAN isn't really the bottleneck in most scenarios.
That's really encouraging to hear. My "issue" with WAN congestion was due to an extreme condition caused by one application pouring out syslog messages - enough to flood a T1. I was burnt so badly by it that I've been reluctant to turn WAN-based logging back on again - maybe I shouldn't be...

Using TCP instead of UDP would also limit the damage - Slammer showed us all how much better UDP is than TCP at filling pipes...

Jason